Introduction

To host 3CX Virtual PBX in a way that uses modern server hardware to its fullest and keeps Windows installation overhead to a minimum, this guide shows a sample firewall setup that serves multiple instances (customers) using 3CX Phone System as a Virtual PBX Server.

General Considerations

To provide this service to multiple customers, a reliable WAN link is essential, as it enables the customers to connect to the hosted service without issue. Although the reliability of internet access itself is out of the scope of this document, a firewall is just as important to ensure connectivity.

A NAT device is not mandatory and you can rely purely on the Windows firewall, but this may become very difficult to manage as your 3CX Virtual PBX server infrastructure grows over time. A more efficient way to manage your network connectivity and security is to implement a centralized firewall that meets the following requirements:

Has the ability to be set up in failover mode. Be aware, however, that pfSense does not support the more common VRRP protocol, which may be required by the datacenter.

Has the ability to handle high throughput limits and max. connection limits (for high density system operation).

3CX Port Requirement Overview

The 3CX Virtual PBX server requires a set of dedicated ports for each instance and also some shared port ranges which are required by all instances.

Shared Ports

Common Ports to all Instances:

3CX Management Console (HTTP & HTTPS) & Presence - 80 & 443 TCP

Media Server Range - 54,000 – 65,000 UDP Only

Dedicated Ports

Each instance uses 3 ports dedicated to their deployment slot:

Instance 1 - Will dynamically use ports in the range 5000 to 5999. You need to forward:

Phone System SIP Port - 5060 TCP & UDP

Phone System Secure SIP Port - 5061 TCP

3CX Tunnel Service - 5090 TCP and UDP

Instance 2 - Will dynamically use ports in the range 6000 to 6999. You need to forward:

Phone System SIP Port - 6060 TCP & UDP

Phone System Secure SIP Port - 6061 TCP

3CX Tunnel Service - 6090 TCP and UDP

Additional Tenants - Follow the exact same pattern in the following ranges:

Instance 3 - 7000

Instance 4 - 8000

Instance 5 - 9000

Instance 6 - 10000

Instance n - +1000

pfSense Sample Setup

The following sample setup is based on a pfSense firewall. The multiple instance setup has many differences to a single instance setup which can be reviewed here.

Why we have chosen pfSense for this sample setup:

First and foremost, it is free of charge.

It can utilize the existing failover redundancy features of any Hyper-V or VMware cluster which may already be in use for 3CX Virtual PBX installation(s).

Has the ability to be set up in failover mode. Be aware, however, that pfSense does not support the more common VRRP protocol, which may be required by the datacenter.

Simplified installation and maintenance.

Grouping Information

To get the best performance from the resources assigned to your pfSense VM, the number of rules and NAT policies should be kept to a minimum. Working with aliases and grouping information in a single place is therefore beneficial for two reasons:

To keep a clear overview of all configured policies.

To keep the number of rules and policies to a minimum.

In the setup we need to group two types of information:

The ports required

The Virtual PBX Server internal IP addresses.

To achieve all this you will need to complete the following 5 steps:

Step 1: Group the internal IP Address range.

Step 2: Group the Shared and dedicated Ports.

Step 3: Add Virtual IP addresses.

Step 4: Configure NAT Entries.

Step 5: Add Rules Policy to Allow Traffic into your PBX.

Step 1: Group the internal IP Address range

To group the IP Address Range:

Log on to the pfSense firewall, then click the “Firewall” tab and choose “Aliases” from the drop down menu.

In the “IP” tab click the “Add Aliases” button.

Type a name for the group, for example, “cloud_server”.

From the drop down set the type to “Network” and enter the range of all your internal IP addresses.

If you start with only one server, you can add the internal IPs of additional 3CX Virtual Servers when those servers are created. In this example we use a range of 11 IP addresses.

Click “Save”, then click the “Apply Changes” button.

Step 2: Group the Shared and Dedicated Ports

To group the ports referring to the port list above:

Click the “Firewall” tab and choose “Aliases” from the drop down menu.

This time switch to the “Ports” tab, click the “Add Aliases” button.

Type a name for the group, for example, “cloud_ports”.

Click the “Add another entry” button and add the first port.

Then add all the shared and dedicated ports into this group by clicking the “Add another entry” button each time to add the next entry.

The port range for the media server can be written in the format “54000:65000”, which defines the entire range.

Click “Save”, then click the “Apply Changes” button.

Network Address Translation

In a Virtual PBX installation the NAT type is set to 1:1 NAT. To set this up for 11 3CX Virtual servers, follow the steps below.

Step 3: Add Virtual IP addresses

To configure the Virtual IP Addresses:

Under the section “Firewall” tab, choose “Virtual IPs” from the drop down menu.

In the “Virtual IPs” tab, click the “Add entry” button and add the 11 virtual IP addresses. In this sample the public IP address of the pfSense itself is 1.1.100.1/26.

For the 3CX Virtual PBX server IP addresses 1.1.100.10-1.1.100.20 have been chosen.

Set the type to “IP Alias” and enter the 11 IP Addresses one at a time.

Click “Save”, then click the “Apply Changes” button.

Step 4: Configure NAT Entries

To configure NAT settings:

Under the “Firewall” tab, choose “NAT” from the drop down menu and switch to the “1:1” tab.

Click the “Add entry” button and add the network translation of the external IPs to the internal IPs.

Important: Make sure that you enter the external subnet IP and the internal IP with the corresponding subnet mask. In our case /26.

Click “Save”, then click the “Apply Changes” button.

Step 5: Add Rules Policy to Allow Traffic into your PBX

The last step is to allow traffic from the outside to the internal servers.

Under the “Firewall” tab, choose “Rules” from the drop down menu.

Click the “Add entry” button and change the “Protocol” type from “TCP” to “TCP/UDP”.

Specify the destination address: in this example we use the “cloud_server” alias, with the “cloud_ports” alias as the destination port range.

Click “Save”, then click the “Apply Changes” button.
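
Added example (not part of the original guide, and not 3CX or pfSense code): the port scheme from the port requirement overview, generalised to instance n, producing the entries for the ports alias in Step 2 and listing which port/protocol pairs the single TCP/UDP rule in Step 5 opens beyond the listed requirements. The function names, the split into separate TCP and UDP lists, and the figure of 25 instances per server (275 instances over 11 servers) are assumptions made for illustration.

```python
# Added example: port plan for the pfSense aliases described in this guide.
SHARED = {"80": {"tcp"}, "443": {"tcp"}, "54000:65000": {"udp"}}
MEDIA_RANGE = (54000, 65000)
# Offsets inside each instance's 1000-port slot (SIP, secure SIP, tunnel).
DEDICATED = {60: {"tcp", "udp"}, 61: {"tcp"}, 90: {"tcp", "udp"}}


def instance_ports(n):
    """Return {port: protocols} for instance n (instance 1 starts at 5000)."""
    if n < 1:
        raise ValueError("instance numbers start at 1")
    base = 5000 + (n - 1) * 1000
    top = base + 999
    if top > 65535:
        raise ValueError(f"instance {n}: slot {base}-{top} exceeds port 65535")
    if base <= MEDIA_RANGE[1] and top >= MEDIA_RANGE[0]:
        raise ValueError(f"instance {n}: slot {base}-{top} overlaps media range")
    return {str(base + off): set(protos) for off, protos in DEDICATED.items()}


def port_plan(instances):
    """Shared ports plus the dedicated ports of instances 1..instances."""
    plan = {port: set(protos) for port, protos in SHARED.items()}
    for n in range(1, instances + 1):
        plan.update(instance_ports(n))
    return plan


def split_by_protocol(plan):
    """Entries for separate TCP and UDP port aliases (hypothetical split)."""
    tcp = [p for p, protos in plan.items() if "tcp" in protos]
    udp = [p for p, protos in plan.items() if "udp" in protos]
    return tcp, udp


def over_permitted(plan):
    """Port/protocol pairs a single TCP/UDP rule opens without being required."""
    return sorted((p, proto) for p, protos in plan.items()
                  for proto in {"tcp", "udp"} - protos)


if __name__ == "__main__":
    plan = port_plan(25)  # assumed: 25 instances per server
    tcp, udp = split_by_protocol(plan)
    print("alias entries:", ", ".join(plan))
    print("TCP-only alias:", len(tcp), "entries; UDP-only alias:", len(udp))
    print("opened but not required:", over_permitted(plan)[:4], "...")
```

Using the two lists as separate aliases with one TCP rule and one UDP rule keeps the rule count low while closing the pairs reported by over_permitted.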

Summary

With these steps you have created a setup for a total of 275 instances (clients) with as few as 4 rules. If the customer base grows, add additional Virtual IPs to the gateway and include the internal IP of the new 3CX Virtual Server in the “cloud_server” alias group, and the server will be ready to go.
